
Directives "not logic" doesn't work for multiple exception key words

paquino

Hello all,

We are trying to add several exception keywords to a directive as you can see below, in order to prevent alarms from being triggered when a FireWall does its job.



Did anyone come upon this problem and how did you solve it?

cheers,
Ped.


Answers

  • paquino,

    While there is "some" logic in place for using regex functions within directives in recent versions, this feature set is still in testing, and is not part of our released functionality. As such, there are some cases where behavior will not be consistent across functions. 

    Once this functionality is fully tested, it will be announced officially and added to our documentation.
  • This is a problem we are having too. We would like to use the USERDATA5 field as a filter to say alarm us on anything that does not = <SID>

    Does anyone know the correct syntax? I have been trying:

    !"SID"     (the actual SID in between the quotes)
    paquino
  • Ripstar, try !SID without quotes. It worked for me for !Administrator in the Username field.
    Ripstar
  • I had the same questions regarding what's the logic in the directives.
    I of course searched the documentation for any useful information first and I raised a few AV support tickets just to make sure that I get the "official" response to my questions.
    Here is a summary of what I know.

    Questions I asked:
     
    1. Is the syntax for excluding strings in USERDATA1-8 and USERNAME fields correct using "!"?
    AV reply: The syntax within the field is !DATA,!DATA2.

    Keep in mind there should not be any spaces, and is read as NOT DATA OR NOT DATA2

    2. Is there an AND or an OR relationship between the fields in the More section inside the directives?
    AV reply: It is an AND relationship between fields so think for example: (Username==!DATA1 OR !DATA2) AND (Userdata8 == DATA3)



    3. If I have the original directive and also the cloned one under User Contributed, which one takes priority? Is the original directive shadowing the new directive I created?

    AV reply: One event can trigger multiple directives so no directive takes priority as it matches both. That is why we recommend disabling the built-in directive when cloning it.

    4. Is there a documentation page on what syntax is permitted to be used in the More fields? The only thing I found was this: https://www.alienvault.com/forums/discussion/6750/userdata-fields
    AV reply:
    The REGEX and FIND functions in this forum post are not an officially supported configuration.

    REGEX and FIND are there but not fully functional and not sanctioned for use by our engineering team, and we can therefore not support using them. (Also note that forum post refers to editing the directives via jailbreak CLI.)
    The syntax within the fields in the GUI is: !DATA,!DATA2

    There is only support for Equals and Not equal. Keep in mind the directive only does exact matches.

    You can also review the general guide on directives here:

    https://www.alienvault.com/documentation/usm-appliance/correlation/tutorial-creating-new-directive.htm


    5. Regarding the documentation link https://www.alienvault.com/documentation/usm-appliance/correlation/tutorial-creating-new-directive.htm, this doesn't cover modifying the data inside the "More" field (e.g. USERDATA1-8, USERNAME, etc). Is there any documentation page which covers this?

    AV reply: The fields under "More" are treated the same as the others; they do exact matches or non-matches on strings as described in my Q4 answer.

    I don't have any documentation that covers those fields specifically.


    6. For directives which contain multiple level rules, can you specify multiple IPs from the higher levels in the FROM and TO fields (the drop down list field "From a parent rule" only allows you to choose one)? Same question for excluding multiple higher level IPs.
    AV reply: You should be able to just type !1:SRC_IP,!2:SRC_IP and so on in the Asset field and then Add IP.

    7. What is the logical relationship between same level correlation rules?
    AV reply: It is an OR relationship.

    8. What is the logical relationship between IPs listed in the TO and FROM fields?
    AV reply:
    If you inserted multiple values into a field such as the Source, option1,option2 and so on, it would be read as option1 OR option2.



    However, when you are using negate they behave a little differently as they are treated as AND, so if you are inserting !OPTION1,!OPTION2 it would be read as: NOT OPTION1 AND NOT OPTION2.

    You should never use both regular and negate within the same field on the same rule.


    Hope this helps answer your questions (and other possible future questions) as it helped me, since I didn't find this documentation anywhere.
    kratosRipstar
  • Thank you both. I worked with an awesome tech on their staff named Alfredo, who really cleared some things up for me.  The only string I use in directives when selecting the "more" option is:

    1:USERDATA  (Looks for exact string from the previous layer)
    !STRING  (Anything that isn't the string entered)
    STRING  (Matches the string exactly in the user data fields)

    I wasn't able to get any of the regular statements working outside of the simple commands above.

    I will try the "," to add additional strings, that is a useful tip. Also, as said above, no spaces at all and no quotation marks around the string in the user data field.
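As an added example (not AlienVault's code and not from any poster here), the field logic summarised in the support answers above and the three forms listed in the last reply, modelled in Python so an exclusion list can be checked before it goes into a directive. It assumes the AND reading of negated values from Q8, exact matching only, and that "N:FIELD" refers to the value the level-N rule matched on; the rule and events are constructed.

```python
# Added example, not AlienVault's code: a small model of how this thread says
# USM directive "More" fields are evaluated, to sanity-check an exclusion list
# before typing it into the GUI. Assumptions: values are comma-separated with no
# spaces or quotes; a leading "!" negates; negated entries are ANDed (Q8: "NOT
# OPTION1 AND NOT OPTION2"); plain entries are ORed; fields are ANDed; "N:FIELD"
# takes the value the level-N rule matched on; matching is exact (no regex).

def parse_field(spec):
    """Split a field the way the GUI expects: commas only, no spaces, no quotes."""
    if " " in spec or '"' in spec:
        raise ValueError(f"spaces/quotes are not allowed in {spec!r}")
    return [e for e in spec.split(",") if e]

def resolve(entry, parents):
    """Expand '[!]N:FIELD' to the value the level-N (parent) rule matched on."""
    neg = entry.startswith("!")
    body = entry[1:] if neg else entry
    level, _, field = body.partition(":")
    if field and level.isdigit():
        body = parents[int(level) - 1][field]
    return ("!" if neg else "") + body

def field_matches(spec, value, parents):
    entries = [resolve(e, parents) for e in parse_field(spec)]
    if not entries:
        return True  # an empty field places no constraint
    negs = [e[1:] for e in entries if e.startswith("!")]
    poss = [e for e in entries if not e.startswith("!")]
    if negs and poss:
        raise ValueError("do not mix plain and negated values in one field")
    if negs:
        return all(value != n for n in negs)  # NOT a AND NOT b
    return any(value == p for p in poss)      # a OR b

def rule_matches(rule, event, parents=None):
    """Every non-empty field in the rule must match (AND across fields)."""
    parents = parents or []
    return all(field_matches(s, event.get(f), parents) for f, s in rule.items())

# Constructed sample: only alarm when the firewall did NOT already block the flow
# and the account is not Administrator (the !Administrator tip from the thread).
FW_RULE = {"USERDATA5": "!drop,!reject", "USERNAME": "!Administrator"}

def firewall_demo():
    events = [{"USERDATA5": "drop", "USERNAME": "bob"},
              {"USERDATA5": "allow", "USERNAME": "bob"},
              {"USERDATA5": "allow", "USERNAME": "Administrator"}]
    return [rule_matches(FW_RULE, e) for e in events]  # [False, True, False]
```

The two ValueError checks are the point in practice: the thread reports that quoted values and mixed plain/negated lists silently fail to match in the GUI, so rejecting them up front is cheaper than debugging a directive that never fires.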